Joker Spyware Found in 24 Google Play Apps

google play bug bounty

Google has kicked 24 apps off of its official Android app marketplace after spyware was discovered in them.

A new spyware has been making the rounds in Android apps on Google Play, infecting victims post-download to steal their SMS messages, contact lists and device information. In addition to stealing victims’ information, the malware also stealthily signs them up for premium service subscriptions that could quietly drain their wallets.

The malware, dubbed “the Joker” after one of its command-and-control (C2) domain names, has been seen over the past few weeks in 24 malicious apps – with a total of 472,000 installs – on the official Android app marketplace, warn researchers. A Google spokesperson told Threatpost that the apps have since been removed from Google Play.

“The described trojan employs notably stealthy tactics to perform quite malicious activities on Google Play, while hiding within the advertisement frameworks and not exposing too much of its malicious code out in the open,” said researcher Aleksejs Kuprins, in an analysis of the malware posted this week. “This malware kit stands out as a small and a silent one. It is using as little Java code as possible and thus generates as little footprint as possible.”

A list of the malicious apps (with their package names) can be found here, and include apps such as “Ignite Clean,” “Leaf Face Scanner” and “Soby Camera.”

The trojan, first spotted in June 2019, is hidden in the advertisement frameworks utilized by the 24 apps, which aggregate and serve in-app ads. After the apps are installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background.

Behind the scenes, the app loads a second-stage Dalvik Executable file (DEX), which is a code file for the Android operating system. The file in turn drops the payload, which includes capabilities to snap up SMS messages, contact lists and device information from the victim’s handset.

Making matters worse, the malware automatically signs up victims for premium service subscriptions for various advertisements. “For example, in Denmark, Joker can silently sign the victim up for a 50 DKK/week service (roughly ~6,71 EUR),” said Kuprins. “This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions.”

As a means for anti-detection, the malware also receives dynamic code and commands over HTTP and runs that code via JavaScript-to-Java callbacks: “Such an approach provides an extra layer of protection against static analysis, since a lot of instructions in this case are not hard-coded into the malicious app on Google Play,” said Kuprins – and since they aren’t hard-coded, it makes is more difficult for researchers to analyze them.

The malware targets users in 37 countries, including China, France, Germany, U.S. and the U.K., using a list of country codes. If the victim has a SIM card from one of these countries, the malware will execute the second-stage payload.

joker malware trojan

Countries targeted by Joker malware

“The majority of the discovered apps target the EU and Asian countries, however, some apps allow for any country to join,” said Kuprins. “The [user interface] of C2 panel and some of the bot’s code comments are written in Chinese, which could be a hint in terms of geographical attribution.”

Joker is only the latest malicious app with spyware capabilities to be discovered on Google’s official app marketplace. In August, a music-streaming app offered on Google Play, harboring spyware that stole victims’ contacts, files and SMS messages, made its way onto the official Android app marketplace not once, but twice.

Earlier in 2019, Google Play removed least 85 fake apps harboring adware, disguised as game, TV and remote-control simulator apps. Once downloaded, the fake apps hide themselves on the victim’s device and continued to show a full-screen ad every 15 minutes. Last year, Google removed 22 malicious adware apps ranging from flashlights, call recorders to Wi-Fi signal boosters that had been downloaded up to 7.5 million times from the Google Play marketplace. And, an Android app booby-trapped with malware was recently taken down from Google Play in November — after being available for download for almost a year.

That’s despite efforts by Google to bolster app security and privacy for Google Play, with the launch of new bug bounty incentives and through other attempts.

Kuprins for his part urged Google Play visitors to be wary of the permissions requested by any app.

“We recommend paying close attention to the permission list in the apps that you install on your Android device,” he said. “Obviously, there usually isn’t a clear description of why a certain app needs a particular permission, which means that whenever you are downloading any app — you are still relying on your gut feeling to some extent.”

Suggested articles

Discussion

  • Ecko Entertainment on

    The list of apps in their package name form can be found here https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451
  • Grant on

    No, it can't. Your link is the same as embedded in the article, it's an analysis of the bot and a list of affected COUNTRIES which is next to useless. Does anyone have a list of the apps?
  • Jonathan on

    Remove the app if it's on the list of all the infected apps: Beach Camera 4.2 Mini Camera 1.0.2 Certain Wallpaper 1.02 Reward Clean 1.1.6 Age Face 1.1.2 Altar Message 1.5 Soby Camera 1.0.1 Declare Message 10.02 Display Camera 1.02 Rapid Face Scanner 10.02 Leaf Face Scanner 1.0.3 Board Picture editing 1.1.2 Cute Camera 1.04 Dazzle Wallpaper 1.0.1 Spark Wallpaper 1.1.11 Climate SMS 3.5 Great VPN 2.0 Humour Camera 1.1.5 Print Plant scan Advocate Wallpaper 1.1.9 Ruddy SMS Mod Ignite Clean 7.3 Antivirus Security - Security Scan,App Lock Collate Face Scanner

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.